[Samba] Possible winbind bugs.

Chan Min Wai dcmwai at gmail.com
Thu Jul 10 10:05:26 MDT 2014 

Dear Steven,

It should if all you AD group are with GID. 
Try to add GID to all your AD group including the build-in. 

You should see that. 

If not you might found a new relevant bugs that we are not sure. 


Thank. 



Regards, 
Chan Min Wai 

> steve <steve at steve-ss.com> 於 10/07/2014 11:49 PTG 寫道:
> 
>> On Thu, 2014-07-10 at 16:28 +0100, Rowland Penny wrote:
>>> On 10/07/14 15:52, L.P.H. van Belle wrote:
>>> 
>>> 
>>>> -----Oorspronkelijk bericht-----
>>>> Van: rowlandpenny at googlemail.com
>>>> [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
>>>> Verzonden: donderdag 10 juli 2014 16:28
>>>> Aan: samba at lists.samba.org
>>>> Onderwerp: Re: [Samba] Possible winbind bugs.
>>>> 
>>>>> On 10/07/14 14:51, steve wrote:
>>>>>> On Thu, 2014-07-10 at 19:20 +0800, Chan Min Wai wrote:
>>>>>> On Thu, Jul 10, 2014 at 6:12 PM, steve <steve at steve-ss.com> wrote:
>>>>>>>          On Thu, 2014-07-10 at 11:01 +0100, Rowland Penny wrote:
>>>>>>>> On 10/07/14 10:27, steve wrote:
>>>>>>>>> On Thu, 2014-07-10 at 13:25 +0800, Chan Min Wai wrote:
>>>>>>>>> Dear All,
>>>>>>>>> 
>>>>>>>>> I've found a strange behavior on Winbind +
>>>> getent group
>>>>>>>>> 
>>>>>>>>> If there are AD/winbind group didn't have any
>>>> unix gid...
>>>>>>>>> getent group will only show local group.
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> If all the AD/winbind group have unix gid
>>>>>>>>> getent will reply with all the group I have
>>>> included the
>>>>>>          AD/winbind group.
>>>>>>>>> 
>>>>>>>>> Did we have any bugs reported on this?
>>>>>>>>> 
>>>>>>>>> Thank You.
>>>>>>>> Hi Chan
>>>>>>>> 
>>>>>>>> Lots of confusion here.
>>>>>>>> 
>>>>>>>> I don't think it's a bug because it would be
>>>> reasonable to
>>>>>>          expect that
>>>>>>>> if we wish domain groups to behave as posix
>>>> groups, then
>>>>>>          we must play by
>>>>>>>> posix rules and include a gid. Otherwise nss
>>>> knows nothing
>>>>>>          about them.
>>>>>>>> 
>>>>>>>> As we understand, must haves:
>>>>>>>> Domain groups: gidNumber
>>>>>>>> Domain users: uidNumber and gidNumber
>>>>>>> Hi, I thought that, until it was pointed out
>>>> that if you use
>>>>>>          winbind,
>>>>>>> the users gidNumber is ignored and windbind pulls the
>>>>>>          gidnumber directly
>>>>>>> from the primary group.
>>>>>>> 
>>>>>>> So yes, the users primary group must have a
>>>> gidNumber, but
>>>>>>          the user does
>>>>>>> not need this added.
>>>>>>> 
>>>>>>> Rowland
>>>>>> 
>>>>>> 
>>>>>>          Hi
>>>>>>          Yes, we agree. However, for completeness (and for
>>>> those who do
>>>>>>          not use
>>>>>>          winbind) we mimic the Unix manner of obtaining the user's
>>>>>>          primary group:
>>>>>>          from the gidNumber listed in his DN.
>>>>>>          Just our translation of the evidence m'lud!
>>>>>>          Cheers
>>>>>> 
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>> 
>>>>>> What I meant is...
>>>>>> When using winbind
>>>>>> 
>>>>>> 
>>>>>> If there is even one AD Group without gid.
>>>>>> "gentent group" will return only local unix Group
>>>>>> 
>>>>>> 
>>>>>> Which shouldn't be right.
>>>>>> 
>>>>>> 
>>>>>> "getent group" should return all AD Group except the AD
>>>> group without
>>>>>> gid.
>>>>>> But our result here are different.
>>>>>> 
>>>>>> 
>>>>>> I believes that when getent group happen
>>>>>> winbind read a group without gid and it crash and return 0 to getent
>>>>>> and thus
>>>>>> 
>>>>>> 
>>>>>> getent group return only local unix group.
>>>>>> 
>>>>>> 
>>>>>> You can easily try this by.
>>>>>> 
>>>>>> 
>>>>>> You will want to turn winbind and idmap cache to as low as possible
>>>>>> for fast result like 1 seconds
>>>>>> like: (WARNING: Not to be use in actual production)
>>>>>> idmap cache time = 1
>>>>>> idmap negative cache time = 1
>>>>>> winbind cache time = 1
>>>>>> 
>>>>>> 
>>>>>> 1. Adding all AD group with unix gid
>>>>>> 2. gentent group return all local unix group + AD Group (if
>>>> you didn't
>>>>>> try to get back to your AD group and add all unix gid)
>>>>>> 3. Add one AD group without unix gid
>>>>>> 4. gentent group return only local unix group
>>>>>> 
>>>>>> 
>>>>>> Hope this explain...
>>>>> Hi
>>>>> Yes, sorry. I see what you mean now. Not had time to test, but if you
>>>>> want this to work with winbind, you have to make:
>>>>> objectClass: posixGroup
>>>>> visible in the group DN.
>>>>> Cheers,
>>>>> Steve
>>>> The fact that 'getent group' does not show AD groups is well known and
>>>> adding the posixGroup objectClass will not make it work!
>>>> 
>>>> You can either, add a gidNumber to every AD group (not really a good
>>>> idea), run 'getent group <AD group name>' or use something
>>>> else instead
>>>> of winbind.
>>>> 
>>>> Rowland
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/options/samba
>>> Huh ?
>>> 
>>> when i add winbind in  /etc/nsswitch.conf
>>> and type getent group on my DC is see ALL my groups. local and AD\windows groups
>>> ( but i dont use that on my DC )
>>> 
>>> on my member i need to say :
>>> getent group "DOMAIN\Mygroup" or
>>> getent group "Mygroup"
>>> 
>>> getent group "Domain Users"
>>> domain users:x:5000:
>>> 
>>> and ONLY the group with gid will return.
>>> 
>>> and as far is i know this is by design.
>>> 
>>> 
>>> Louis
>> Hi Louis, The only problem I have with what you posted is the word 
>> 'design', I think that it is a long standing bug and hopefully when 4.2 
>> comes out, it will have been squashed.
>> 
>> Rowland
> 
> Hi
> Just to add that real winbind has _never_ returned domain groups from:
> getent group
> It only returns with:
> getent group <group>
> enum or no enum.
> HTH,
> Steve
> 
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list